Home > Step by Step to Enable Windows LAPS with Azure AD
Hichem Mabrouki
7 September 2023
Lire cet article en Français

Step by Step to Enable Windows LAPS with Azure AD

Step by Step to Enable Windows LAPS with Azure AD

According to Microsoft documentation, Windows LAPS (Windows Local Administrator Password Solution) is “a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices”.

The legacy solution, Microsoft LAPS is still available, but the Windows LAPS has several advantages such as the ability to back up passwords to Azure AD, encrypt passwords in Windows Server Active Directory, and store password history.

LAPS is now natively integrated into Windows 11, Windows 10, and Windows Server.

If Windows LAPS is not available in you Windows version, you can install it manually or via Intune (Step III).


New features with Windows LAPS


Windows LAPS brings new features for on-premises AD and Azure AD scenarios.

The native version of Windows LAPS adds support for password encryption, password history, and automatic password rotation. Windows LAPS also adds Directory Services Restore Mode (DSRM) backups to improve the security of domain controllers.

Windows LAPS supports rich policy management via both Group Policy and Configuration Service Provider (CSP), and a new PowerShell module also gives IT pros better password management capabilities. Additionally, Windows LAPS adds support for hybrid-joined devices.


Enable LAPS in Azure AD


Step I


In Azure AD portal, choose “Devices”, then “Device settings”, and enable Azure AD local Administrator Password Solution.

Activation de LAPS dans Azure AD


Step II


Create an Intune Profile for Windows LAPS.

In Intune portal, select “Endpoint Security”, then “Account protection” and click on “Create policy”.

Sécurité du point de terminaison


Création d'une stratégie


Step III : Install Windows LAPS via Intune


Info: Windows Local Administrator Password Solution (LAPS) is now natively integrated into Windows 11, Windows 10, and Windows Server. This step is to install Windows LAPS via Intune.



  • Add an app in Intune to install LAPS

Before creating an app in Intune, we have to create an Azure AD group. This group will be our scope to install LAPS msi via Intune.

  • Create azure AD group
  • Add your PC to this group
  • Add new app in Intune and apply to Azure ad group as a scope


installer Windows LAPS via Intune


Step IV: Force synchronization


Force synchronization between Azure AD and the PC or the server.

After synchronization, the LAPS application should be installed, and the Intune profile applied.

Force synchronization


Step V: View Admin password


In Intune, select a device and click on overview:

View Admin password


Step VI: Rotate admin password


Step VI: Rotate admin password


Key points about Windows LAPS


The benefit of changing the password cannot be underestimated especially for SysOps administrators. SysOps administrators need to access systems with administrator’s privileges, and they must share passwords and rotate them periodically. With Windows LAPS we can rotate password and share them securely with a specific group of administrators.

Windows LAPS only supports Windows Version (10/11/2019). There is an open-source Linux and macOS implementation of Windows LAPS but it will better to integrate and support this feature by Microsoft.


Do you need help with your projects? Contact us!


This posts should interest you
Leave a Reply

Receive the best of Cloud, DevOps and IT news.
Receive the best of Cloud, DevOps and IT news.